Summary:
In this episode of the Exploring Information Security podcast, host Timothy De Block sits down with Jason Gillam, long-time developer turned penetration tester and partner at Secure Ideas. The two dive into the real-world value of Content Security Policy (CSP) and why it remains one of the most underutilized tools in web application defense.
Jason shares insights from his upcoming talk at ShowMeCon 2025, including surprising statistics from his analysis of over 750,000 domains, where he found that most CSPs are either missing or misconfigured. He breaks down how CSP works, its role in protecting against injection attacks, and strategies for implementing it properly using nonces, hashes, and report-only modes.
They also discuss:
The challenges of educating developers on CSP
CSP vs. WAF and where each fits in the security stack
How AI and CI/CD can support secure CSP deployment
The importance of building security into code rather than bolting it on later
Whether you're a developer, security professional, or somewhere in between, this episode offers practical and actionable advice on improving your web application security posture.
Mentioned Resources:
Use the promo code “ExploringSec” to get $50 off your registration
Showmecon Links and Resources:
Learn more about ShowMeCon: showmecon.com
Register for Training or the Conference: Registration Link
Event Venue and Room Block Information: Ameristar Casino & Resort
Connect with the Founder of ShowMeCon Dave Chronister: LinkedIn Profile
Connect with the Head Organizer for ShowMeCon Brooke Deneen: LinkedIn Profile
Support the Podcast:
Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.
Contact Information:
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.